Linux Kernel Vulnerabilities

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, Telnet, sharutils, Ethereal, Midnight Commander, mpg321, OpenMosixView, cdrecord, ImageMagick, and grip.

Linux Kernel Problems

Vulnerabilities have been reported in various Linux kernels, including: a problem in the epoll system calls that may be exploitable to gain root permissions; a buffer overflow when writing to sysfs; a buffer overflow in the MoxaDriverIoctl() function; several network-based, remotely exploitable denial-of-service vulnerabilities; overflows in the roc_file_read() and locks_read_proc() functions; a problem in the copy_from_read_buf() function that may be exploitable to read kernel memory; a locally exploitable denial-of-service vulnerability in the PPP code; a bug in the ext2 and ext3 filesystems that could cause default ACLs to disappear; and a denial-of-service vulnerability in the VC_RESIZE ioctl that may be exploitable by a user logged in on a console.

It is recommended that all Linux users watch their vendors for a kernel package that addresses these issues. SuSE has released packages for SuSE Linux 8.2, 9.0, 9.1, 9.2; SUSE Linux Desktop 1.0; SUSE Linux Enterprise Server 8 and 9; and Novell Linux Desktop 9.

Telnet

Multiple Telnet clients are vulnerable to a buffer overflow that may, under some conditions, be exploitable by a remote attacker who controls a Telnet daemon that the victim attempts to connect to. The buffer overflow is located in the opt_add() function in telnet.c. If the attacker successfully exploits this buffer overflow, it would allow the execution of arbitrary code on the victim's machine with the victim's permissions. It is possible that the attacker could trick the victim into initiating a Telnet connection through a "telnet://" HTML link. Operating systems known to be affected by this buffer overflow include: Solaris 7, 8, 9, and 10; Red Hat Linux; FreeBSD; Mac OS X; ALT Linux; Ubuntu 4.10; and Gentoo Linux.

All affected users should watch their vendors for a repaired version of Telnet and upgrade as soon as possible.

sharutils

A buffer overflow in the shar archive utility may, under some conditions, be exploitable by an attacker to execute arbitrary code on the victim's machine. The buffer overflow is located in the code that handles output filenames specified with the "-o" command line parameter. Remotely exploiting this buffer overflow would require an automated system that allowed the attacker to specify the output filename.

Affected users should watch their vendors for a repaired version of sharutils.

Ethereal

The open source network sniffer Ethereal is vulnerable to multiple buffer overflows that may be exploitable by a remote attacker sending carefully crafted packets that are then processed by Ethereal either by reading the packet directly from the network or from a packet trace file. These buffer overflows were found in the 3GPP2 A11, Etheric, GPRS-LLC, IAPP, JXTA, and sFlow protocol dissectors.

It is strongly recommended that users upgrade to version 0.10.10, or newer, as soon as possible. If it is not possible to upgrade immediately, users should disable the affected protocol dissectors.

Midnight Commander

Midnight Commander, or mc, is a console-based file browser and management tool. A buffer overflow was discovered in the version of mc distributed with Debian GNU/Linux. It is not known whether this buffer overflow affects the versions of mc included in other Linux distributions.

Debian GNU/Linux users should upgrade mc as soon as possible. Users of other distributions should watch their vendors for any updates.

mpg321

mpg321 is an MP3 music player with a command-line interface. Version 0.2.10 of mpg321 and earlier are reported to be vulnerable to a format-string-based vulnerability that can be exploited if the victim plays a carefully crafted MP3 file with a malformed ID3 tag in it. Successfully exploiting this vulnerability would result in arbitrary code being executed on the victim's machine.

OpenMosixView

OpenMosixView, a graphical front end for administering an OpenMosix cluster of Linux-based machines, is vulnerable under some conditions to a temporary-file symbolic-link race condition that may be exploitable by a local user to remove arbitrary files on the system.

Affected users should watch for a repaired version and should evaluate the risk of using OpenMosixView before it has been repaired.

cdrecord

Under some conditions, the cdrecord utility is vulnerable to a temporary-file symbolic-link race condition that can be abused to overwrite arbitrary files on the system with the permissions of the account executing cdrecord (often root). cdrecord is vulnerable to this attack only when "DEBUG" has been enabled in the "/etc/cdrecord/rscsi" configuration file, which is not the default in most installations.

Concerned users should check "/etc/cdrecord/rscsi" and verify that "DEBUG" is not enabled.
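Both the OpenMosixView and cdrecord problems above belong to the same class: a privileged program opens a predictable temporary path that a local user can pre-create as a symlink. The following C example is added here and is not code from either project; it shows the vulnerable open pattern beside the hardened one and a self-check that plants a symlink in a private directory (all paths are constructed for the demonstration, Linux/POSIX assumed) to confirm the hardened open refuses to follow it.

```c
/* Added example: defensive handling of temporary files against the
 * symlink race described for OpenMosixView and cdrecord above.
 * Not code from either project; Linux/POSIX, constructed paths only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable pattern: a predictable path under /tmp opened with O_CREAT|O_TRUNC.
 * If a local user pre-created a symlink at that path, the (often root)
 * process truncates and writes whatever file the link points to. */
int open_predictable_tmp(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything already
 * sits at the path (a symlink counts, even a dangling one), and O_NOFOLLOW
 * turns any symlink into ELOOP, so a planted link is never followed. */
int open_tmp_nofollow(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check in a private directory: plant a symlink, confirm the hardened
 * open rejects it, then create a temp file the safe way via mkstemp (random
 * name, created atomically). Returns 3 when both checks pass (bit 0, bit 1). */
int demo_safe_tmpfile(void) {
    char dir[] = "/tmp/race-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char target[256], link[256], tpl[256];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);
    snprintf(tpl, sizeof tpl, "%s/safe-XXXXXX", dir);
    int result = 0;
    int t = open(target, O_WRONLY | O_CREAT, 0600);   /* file the link points at */
    if (t >= 0 && close(t) == 0 && symlink(target, link) == 0) {
        int hard = open_tmp_nofollow(link);
        if (hard < 0 && (errno == EEXIST || errno == ELOOP)) result |= 1;
        if (hard >= 0) close(hard);
    }
    int fd = mkstemp(tpl);                 /* XXXXXX is rewritten in place */
    if (fd >= 0 && access(tpl, F_OK) == 0) result |= 2;
    if (fd >= 0) { close(fd); unlink(tpl); }
    unlink(link); unlink(target); rmdir(dir);
    return result;
}
```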

grip

grip, a CD player and CD ripper for the Gnome desktop, is reported to be vulnerable to a buffer overflow in the code that handles information returned by CDDB servers. An attacker who controlled a CDDB server that the victim connects to could potentially execute arbitrary code on the victim's machine.

Affected users should watch their vendors for a repaired version and can disable automatic CDDB lookups if they are concerned.

ImageMagick

ImageMagick is a set of command-line utilities that can be used to create, modify, and display bitmap images. Multiple vulnerabilities have been reported in ImageMagick, including buffer overflows and format string vulnerabilities. Exploiting these vulnerabilities could result in arbitrary code being executed on the victim's machine.